
SAML Integration Overview

Purpose

This guide provides technical specifications for software developers at Financial Institutions or Third-Party vendors who are integrating custom content into their online and mobile applications with Candescent Digital Banking Products. Integration with Candescent Digital Banking's Federation Gateway Services requires that the partner adhere to SAML (Security Assertion Markup Language) SSO (single sign-on) standards.

This document describes the content integration options and provides Candescent Digital Banking SAML assertion data and guidelines. It does not supersede the OASIS SAML specifications; for the specification itself, refer to www.oasis-open.org.

Integration Model

SAML is the industry-standard integration model that Candescent Digital Banking supports for securely passing authenticated user data from one application to another. In the exchange, Candescent Digital Banking acts as the Identity Provider (IdP) and the Partner as the Service Provider (SP): the IdP asserts the user's authentication (and any authorization attributes) to the SP, which lets users reach Partner applications from the Candescent Digital Banking platform without signing in a second time.

Candescent Digital Banking currently supports several SAML profiles and standardizes on the preferred SAML 2.0 POST profile (IdP-initiated Web Browser SSO delivered over the HTTP-POST binding).
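The exchange above ends with the Partner's assertion consumer service (ACS) receiving a base64-encoded SAMLResponse by HTTP POST. The following is an added example of the service-provider-side checks that response needs; it is not Candescent's code, and the issuer, audience, ACS URL and certificate fingerprint are assumed values. XML-DSig verification and assertion decryption are done by a dedicated library (such as xmlsec) before these checks and are not reimplemented here; the sample response is constructed and carries only placeholder certificate bytes, so only the fingerprint comparison is exercised.

```python
# Added example (not Candescent's code). Assumed values: IDP_ISSUER, SP_ENTITY_ID, ACS_URL.
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
IDP_ISSUER, SP_ENTITY_ID = "https://idp.example/candescent", "https://partner.example/sp"
ACS_URL = "https://partner.example/saml/acs"


class SamlRejected(Exception):
    """Raised for any response that must not create a session."""


class ReplayCache:
    """Assertion IDs already consumed. Every navigation click and every home page load
    yields a fresh assertion, so entries live only until the assertion itself expires."""
    def __init__(self):
        self._seen = {}

    def consume(self, assertion_id, expires_at, now):
        self._seen = {i: t for i, t in self._seen.items() if t > now}
        if assertion_id in self._seen:
            raise SamlRejected("replayed assertion " + assertion_id)
        self._seen[assertion_id] = expires_at


def _ts(value):  # SAML xsd:dateTime is UTC; fractional seconds are allowed
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def _one(parent, path):  # exactly one match, so extra/missing elements are rejected
    found = parent.findall(path, NS)
    if len(found) != 1:
        raise SamlRejected("expected exactly one %s, found %d" % (path, len(found)))
    return found[0]


def validate_response(b64, *, issuer, audience, acs_url, pinned_cert_sha256, replay, now,
                      skew=timedelta(seconds=120)):
    """Return (NameID, attributes) for an acceptable, already signature-verified response."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlRejected("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlRejected("Destination is not our ACS URL")
    if _one(root, "samlp:Status/samlp:StatusCode").get("Value") != SUCCESS:
        raise SamlRejected("IdP reported non-success status")
    if root.findall("saml:EncryptedAssertion", NS):
        raise SamlRejected("assertion still encrypted; decrypt before validating")
    a = _one(root, "saml:Assertion")
    if _one(a, "saml:Issuer").text != issuer:
        raise SamlRejected("unexpected Issuer")
    # The XML-DSig library verified the signature with the certificate supplied out of
    # band; additionally refuse unsigned assertions or a different cert in KeyInfo.
    cert = _one(_one(a, "ds:Signature"), "ds:KeyInfo/ds:X509Data/ds:X509Certificate").text
    if hashlib.sha256(base64.b64decode(cert)).hexdigest() != pinned_cert_sha256:
        raise SamlRejected("signing certificate does not match pinned IdP certificate")
    cond = _one(a, "saml:Conditions")
    if _ts(cond.get("NotBefore")) > now + skew:
        raise SamlRejected("assertion not yet valid")
    expires = _ts(cond.get("NotOnOrAfter"))
    if expires <= now - skew:
        raise SamlRejected("assertion expired")
    if audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlRejected("assertion not addressed to this SP")
    subj = _one(a, "saml:Subject")
    conf = _one(subj, "saml:SubjectConfirmation")
    if conf.get("Method") != BEARER:
        raise SamlRejected("only bearer confirmation is accepted")
    data = _one(conf, "saml:SubjectConfirmationData")
    if data.get("Recipient") != acs_url:
        raise SamlRejected("SubjectConfirmationData Recipient mismatch")
    if data.get("InResponseTo") is not None:  # IdP-initiated: we never sent an AuthnRequest
        raise SamlRejected("unsolicited response must not carry InResponseTo")
    if _ts(data.get("NotOnOrAfter")) <= now - skew:
        raise SamlRejected("subject confirmation expired")
    replay.consume(a.get("ID"), expires + skew, now)
    attrs = {s.get("Name"): [v.text for v in s.findall("saml:AttributeValue", NS)]
             for s in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return _one(subj, "saml:NameID").text, attrs


# Constructed sample: no real signature, and the "certificate" is placeholder bytes.
FAKE_CERT = base64.b64encode(b"constructed test certificate").decode()
FAKE_CERT_SHA256 = hashlib.sha256(b"constructed test certificate").hexdigest()
OTHER_CERT = base64.b64encode(b"some other certificate").decode()
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"
 IssueInstant="2024-05-01T12:00:00Z" Destination="{ACS_URL}">
<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>{IDP_ISSUER}</saml:Issuer>
<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject><saml:NameID>user-123</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">
<saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="fiId"><saml:AttributeValue>FI001</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>""".encode()).decode()


def with_replaced(old, new):
    """Re-encode the sample with one substring swapped, to exercise a rejection path."""
    xml = base64.b64decode(SAMPLE_RESPONSE).decode()
    return base64.b64encode(xml.replace(old, new).encode()).decode()


def try_validate(now_iso, replay=None, response=SAMPLE_RESPONSE):
    """Return (NameID, attributes), or the rejection reason as a string."""
    try:
        return validate_response(response, issuer=IDP_ISSUER, audience=SP_ENTITY_ID,
                                 acs_url=ACS_URL, pinned_cert_sha256=FAKE_CERT_SHA256,
                                 replay=replay or ReplayCache(), now=_ts(now_iso))
    except SamlRejected as e:
        return str(e)
```

Calling try_validate("2024-05-01T12:01:00Z") accepts the sample; presenting the same assertion again to the same ReplayCache, shifting the clock past NotOnOrAfter, adding an InResponseTo, or swapping the KeyInfo certificate are each rejected with a distinct reason. The replay cache is keyed on the assertion ID and expires entries at NotOnOrAfter plus skew, which is what keeps it bounded when a home page widget triggers a new exchange on every page load.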

Content Integration Options

Online and Mobile Pages and Widgets

Using SAML integration, third parties can develop custom feature pages or widgets specifically designed to run within the Candescent Digital Banking environment. In general, this kind of integration dictates that:

  • The look and feel of the third-party feature page or widget adheres to the standards specified for Online Banking
  • The third-party app uses the session keep-alive URL so that the Online Banking session does not time out while the end user is engaged with the third-party app

UI style guides are available to assist developers in creating applications with a visual look and feel that matches online and mobile banking.

The custom feature pages or widgets are web applications hosted by the third party or the FI; any environment that can build and host web applications can be used.

Online Banking Page

Online banking SSO pages are launched when an end user clicks on a navigation item configured for the SSO. Navigation entries can be managed by the FI in the Admin Platform. An SSO navigation entry can be placed anywhere in the navigation structure.

Every time an end user clicks an SSO navigation link, the system initiates a fresh SAML SSO sequence; no earlier SSO session information is cached or reused. SSO pages are loaded by online banking in the main frame below the navigation area, and all content in that frame must be provided by the custom web application.

Mobile Page

Mobile banking SSO pages are launched when an end user clicks on a navigation item configured for the SSO. These navigation entries are on the 'More' page in the mobile application. 'More' page navigation entries can be managed by the FI in the Admin Platform.

Every time an end user clicks an SSO navigation link, the system initiates a fresh SAML SSO sequence; no earlier SSO session information is cached or reused. SSO pages are loaded by the mobile application in a web view, and all content in that view must be provided by the custom web application.

Home Page Widget

An SSO configured for a widget is launched when the enclosing page is loaded, so an SSO configured for a home page widget is launched every time the home page is loaded for an end user.

warning

An SSO built for a home page widget must be designed for high volume: it runs on every login and on every subsequent load of the home page, so the Partner's assertion consumer must handle one complete SAML exchange per page view.

Every time the page loads, a new SAML SSO sequence is initiated; no earlier session information is reused. The widget provides an empty iframe, and all of its content must be provided by the SSO web application.

Stand-Alone Application SSO

The other mode of integration available with SAML is single sign-on to an existing application. This mode is commonly used when a simple integration between Online Banking and an existing third-party web app is needed.

Project Kickoff

  • Partners are assigned a Candescent Integration Project Manager (PM) via Marketplace

  • Initial QA validation testing is required before any FI environment installation

  • Your PM will provide all necessary materials, including certificates and endpoint details

Checklist for Partners

  • Technical knowledge of SAML 2.0 and IdP-Initiated Web Browser SSO

  • Secure infrastructure for certificate management

  • Ability to process encrypted SAML assertions

  • Developer Console access (as provided by PM)

  • Prepared to securely store certificates and SAML configuration

Contacts & Support

For questions or support, reach out to your assigned Candescent Integration PM via Marketplace. Your PM is your primary point of contact for all integration-related matters.
